Top EU judge eases pressure on post-Brexit data transfers

The UK Government’s plans for a swift withdrawal from the EU appear to have been given a major boost by the European Court of Justice, which looks set to kick out claims that so-called "standard contractual clauses" are illegal.

The move is the latest twist in a protracted legal case brought by privacy campaigner Max Schrems against Facebook. Since as far back as 2013, Schrems has argued that methods used by tech firms and thousands of others to transfer data outside the EU - including Privacy Shield and standard contractual clauses (SCCs) - do not give consumers adequate protection from US surveillance.

The case was referred to the ECJ by the Irish High Court, which said there were well-founded concerns about "an absence of an effective remedy in US law compatible with EU legal requirements, which prohibit personal data being transferred to a country with inadequate privacy protections".

But, in an opinion published this week, Advocate General Henrik Saugmandsgaard Oe of the ECJ said the EU clauses are “valid”.

While he said it was not for the tribunal to rule on the legality of the separate Privacy Shield pact in this case, Saugmandsgaard Oe said the SCCs adopted by the European Commission provide a “general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there”.

While this advice is non-binding, the court follows the advocate general's opinion in a majority of cases. A ruling by the Luxembourg-based court usually follows several months later.

If the ECJ had ruled in Schrems’ favour, the options to ensure the free flow of personal data between the EU and UK post-Brexit would have been drastically reduced, given that an adequacy agreement could take many years to achieve.

Linklaters TMT partner Richard Cumbley said the decision will prompt a huge sigh of relief among European businesses that deal with affiliates or suppliers in the US.

He added: "It is also good news for the new Conservative Government in the UK and its ambitious timetable to achieve a trade deal by the end of 2020, as it makes the need for a so-called adequacy finding less acute.

"The opinion suggests that standard contractual clauses remain a solid basis for transferring data outside the EU. They will therefore be an important tool for UK businesses to receive data from the EU post-Brexit, and make an adequacy finding a desirable rather than critical aspect of the forthcoming trade negotiations."
